Google has released an emergency security update for the desktop version of Chrome. The fix is for a high-severity flaw tracked as CVE-2022-4135, discovered on November 22 by Clement Lecigne of Google’s Threat Analysis Group (TAG).
The company has withheld details of the vulnerability to prevent threat actors from exploiting it and to give users more time to install the update. Google's advisory further states that these restrictions will be retained if the bug also exists in a third-party library that other projects depend on but have not yet patched.
What we do know, however, is that the flaw is a heap buffer overflow in GPU, and that at least one exploit for the vulnerability exists in the wild. Heap buffer overflows are memory-safety vulnerabilities in which data is written beyond the bounds of a heap-allocated buffer because no bounds check is performed.
Attackers can exploit this to overwrite a program's memory and alter its execution path, leading to arbitrary code execution or data breaches. The issue is addressed in Chrome version 107.0.5304.121/122 for Windows and version 107.0.5304.122 for macOS and Linux.
This fix also marks the eighth actively exploited zero-day vulnerability that Google has patched this year. Attackers appear to be highly interested in Chrome, which holds the top spot among widely used browsers, and they use such flaws to carry out rather targeted attacks.
The previous seven fixes patched the following vulnerabilities:
- CVE-2022-0609 – February 14
- CVE-2022-1096 – March 25
- CVE-2022-1364 – April 14
- CVE-2022-2294 – July 4
- CVE-2022-2856 – August 17
- CVE-2022-3075 – September 2
- CVE-2022-3723 – October 28
Users are strongly advised to update Chrome to the latest available version to protect themselves against possible attacks.
Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.